User Beware: Rooting Malware Found in 3rd Party App Stores

Think of third-party app stores as independent shops in a city where people go as an alternative to the city mall. The mall has practically everything you need, and almost everyone goes there. The shops carry items not available in the mall, and vice versa.

Some people would rather go to the small shops because of personal preferences. The catch is that the mall guarantees user safety for each item it hands out. The shops, however, regardless of their goodwill or knack for entrepreneurship, will have more difficulty spotting a potentially harmful product on their shelves.

To Play or Not to Play

Because some users have concerns with the app giant Google Play, they choose to download apps from third-party stores. For instance, there are no region locks for apps in some third-party app stores. Some developers of paid apps even partner with third-party app stores that have purchase capability to give those who download from the partnered store considerable discounts. A third-party app store can also be the preferred store due to its popularity in a specific region.

Android users have to keep in mind that installing apps from these third-party app stores requires them to allow installation from “unknown sources”. Malicious apps have a history of popping up on these third-party websites, which is why it is often recommended that Android users stick to Google Play. Because of Google’s security measures, we believe it is the safest platform for downloading apps. It is worth noting, however, that third-party app stores are implementing means to tighten their security.

Catching Our Attention

Malicious apps were recently seen making the rounds in some third-party app stores. They spoof popular apps, increasing the chances of getting selected and downloaded. These include popular mobile games, mobile security apps, camera apps, music streaming apps, and so on. They even share the exact same package name and signing certificate as their Google Play counterpart.

The most notable trait of these malicious apps, detected as ANDROIDOS_LIBSKIN.A, is their capability to root the device. That in itself can be a gateway to bigger threats, as rooting Android phones can have many repercussions. In the samples we analyzed, however, the malware only downloads and installs other apps without the user’s knowledge. These secretly installed apps then present themselves as ads from time to time, luring users into downloading yet more apps. The malware can also be used to collect user data and forward it to the attacker.

Based on data from our Trend Micro Mobile App Reputation Service, there are 1,163 malicious APKs detected as ANDROIDOS_LIBSKIN.A. In addition, between January 29 and February 1, apps detected as this malware were downloaded in 169 countries and can be found in four third-party app stores, namely Aptoide, Mobogenie, mobile9, and 9apps. We have already contacted these stores and informed them about these threats, but as of this writing, we have yet to receive any confirmation from their end.

Figure 1. Infected countries from Jan. 29 – Feb. 1

Infection Flow

Once a user installs the malicious app, the app loads the file libskin.so during its initial start-up. A .so (shared library) file is a compiled library, in most cases built from C or C++ source code; a programmer can write parts of an Android app in C or C++ and ship them this way.

Figure 2. ANDROIDOS_LIBSKIN.A infection flow

libskin.so then extracts a ZIP (APK) file. This file installs itself automatically and is hidden within the /lib directory to avoid detection. The ZIP/APK is then loaded, and it in turn loads two .dex files found separately within fp.jar and fx.jar. These .jar files contain the malicious .dex files, which run silently and automatically.

Figure 3. fp.jar and fx.jar found inside the ZIP/APK file

fp.dex has two functions. First, it downloads the root module right_core.apk. After rooting the phone, it performs its second function, which is to download malicious apps from a set of URLs and install them in the system directory.

Figure 4. right_core.apk replacing the original system file

Figure 5. URLs where the malware downloads other malicious apps

fx.dex is responsible for the pop-up ad image or download reminder that appears at intervals. Because of this behavior, users cannot tell which app is responsible for the pop-up.

Figure 6. Pop-up images downloaded from URLs

The pop-ups lure users into clicking on unwanted apps. Clicking on the ads does not necessarily lead the user to the advertised app or site. Beyond that, ANDROIDOS_LIBSKIN.A can also collect users’ data and send it back to a remote malicious user. This includes data about the user’s phone, subscription IDs, device ID, language, network type, running apps, network name, and so on.

Figure 7. Built-in commands used in exfiltrating data
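The packaging pattern described in the infection flow above (a native libskin.so loader, a nested ZIP/APK hidden under lib/, fp.jar and fx.jar stages, and a right_core.apk root module) can be checked statically without executing anything, because an APK is just a ZIP archive. The following Python script is an added example written for this article, not Trend Micro's own tooling: it walks an APK's entries, looks for those file names, and descends into any archive found under lib/. The file names come from the article; the sample APKs it builds in memory are constructed fixtures, and the assumption that the dropped archive sits under lib/ inside the package is taken from the description above.

```python
"""Static triage of an APK for the ANDROIDOS_LIBSKIN.A packaging pattern.

Added example (not Trend Micro's tooling). Indicator file names are taken
from the write-up; the sample APKs are constructed in memory for the demo.
"""
import io
import zipfile

# Indicators named in the article (file names only, no hashes or URLs).
NATIVE_LOADER = "libskin.so"
NESTED_ARCHIVE_EXT = (".zip", ".apk", ".jar")
STAGE_JARS = {"fp.jar", "fx.jar"}
ROOT_MODULE = "right_core.apk"


def _basename(entry):
    """Lower-cased final path component of a ZIP entry name."""
    return entry.rsplit("/", 1)[-1].lower()


def _nested_entries(data):
    """Entry names of an archive held in bytes, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return inner.namelist()
    except zipfile.BadZipFile:
        return []


def scan_apk(apk_bytes):
    """Return a sorted list of findings describing LIBSKIN-like structure.

    An empty list means none of the article's indicators were present.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            base = _basename(name)
            under_lib = name.startswith("lib/")
            if under_lib and base == NATIVE_LOADER:
                findings.append(f"native loader {name}")
            # A ZIP/APK/JAR hidden under lib/ matches the dropped archive the
            # article describes; look inside it for the fp.jar / fx.jar stages.
            if under_lib and base.endswith(NESTED_ARCHIVE_EXT):
                findings.append(f"archive under lib/: {name}")
                inner = {_basename(n) for n in _nested_entries(apk.read(name))}
                for jar in sorted(STAGE_JARS & inner):
                    findings.append(f"stage jar {jar} inside {name}")
            if base == ROOT_MODULE:
                findings.append(f"root module {name}")
    return sorted(findings)


def build_sample_apk(malicious):
    """Constructed fixture: a minimal APK layout, optionally with the payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("fp.jar", b"placeholder")
        z.writestr("fx.jar", b"placeholder")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035")
        z.writestr("lib/armeabi/libhelper.so", b"ELF")  # benign native code
        if malicious:
            z.writestr("lib/armeabi/libskin.so", b"ELF")
            z.writestr("lib/armeabi/payload.apk", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("suspicious", True)):
        print(label, scan_apk(build_sample_apk(flag)))
```

To use it on a real file, pass `open(path, "rb").read()` to `scan_apk`; a non-empty result is a reason to pull the sample for deeper analysis, not a verdict on its own, since a repackaged app could rename these files. Name matching is deliberately case-insensitive and limited to the final path component so that a different architecture directory under lib/ does not hide the indicator.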

Drawing the Line

Though we highly recommend that Android users stick to Google Play, downloading apps from third-party stores still has its merits. However, we do urge users to approach it with caution. One way to avoid downloading fake apps is to get the app from the developer’s website. Users may also check the reputation of the store before downloading anything. Users are advised to install Trend Micro Mobile Security Personal Edition, which detects these malicious apps.

For developers publishing their apps, make sure to partner with reputable stores. Secure coding also helps prevent cybercriminals from replicating or modifying their work to include malware.

The SHA1 hashes and URLs related to this threat can be found in this appendix.

Update as of February 14, 2016, 10:00 P.M. PST (UTC -8)

Aptoide has informed us that the malicious apps hosted on their store have been removed; they are also updating their own systems to block this threat in the future.